[NCLUG] Bandwidth throttling when SIP connection is in progress.

John Gilmore jgilmore at glycou.com
Fri Oct 10 22:18:39 MDT 2008


I'd like to set up my firewall to severely throttle all TCP traffic
when there is a SIP connection in progress.

Since the asterisk server is on the same box, I could use the
"condition" module, something like:
iptables -I INPUT -p tcp ! --source "$LOCALNET" ! --destination-port sip \
    -m condition --condition SIPCALL -m fuzzy --lower-limit 75 \
    --upper-limit 110 -j DROP

And then have asterisk write 1 at the start of the call and 0 at the
end. I don't like that solution because if the server dies (or, more
likely) I configure it wrong, it'll do the wrong thing. And I'm
certain there are corner cases I haven't thought about and would like
to not have to think about.

What I'd like is to test from within iptables to see if there is a SIP
connection in progress, and filter based on that. Something like:

iptables -I INPUT -p udp -m mport --ports 5061,5060,5004 -m recent --set
iptables -I INPUT -p tcp ! --source "$LOCALNET" ! --destination-port sip \
    -m recent --update --seconds 30 -m fuzzy --lower-limit 75 \
    --upper-limit 110 -j DROP

But that doesn't work, because I can't check the "recent" module's
state when the packet I'm filtering is from a different source IP. Is
there some other option that would keep the logic inside netfilter?
I'm thinking not, but it would be *so* much more elegant if there was.
I really don't like the "have asterisk indicate the start and end of a
call" as it doesn't work with SIP calls from inside the network, and
doesn't deal well with asterisk server problems.

OTOH, if the asterisk server goes down, the phones don't work anyway...
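An added example, not from the post above: a fail-safe updater for the "condition" flag that the first approach relies on. It assumes the condition match exposes the flag at /proc/net/nf_condition/SIPCALL (the xtables-addons path; older patch-o-matic builds used /proc/net/ipt_condition/) and that `asterisk -rx "core show channels count"` prints lines like "1 active call". If Asterisk is down or its output is empty, the flag is cleared so the throttle rule fails open instead of staying stuck on.

```shell
#!/bin/sh
# Keeps the SIPCALL condition flag in step with Asterisk's active-call
# count, clearing it whenever Asterisk cannot be queried (fail-open).
# Paths and CLI output format are assumptions; adjust for your build.

CONDITION_FILE="${CONDITION_FILE:-/proc/net/nf_condition/SIPCALL}"

# Parse "core show channels count" output (passed as $1).
# Prints 1 if at least one call is active, 0 otherwise, including when
# the output is empty or garbled (e.g. Asterisk not running).
sip_call_active() {
    printf '%s\n' "$1" | awk '
        /active call/ { if ($1 + 0 > 0) active = 1 }
        END { print (active ? 1 : 0) }'
}

# Ask Asterisk for its call count; prints nothing if the daemon or its
# control socket is unavailable, which sip_call_active() treats as 0.
query_asterisk() {
    asterisk -rx "core show channels count" 2>/dev/null
}

# Write the flag only when it changes, log the transition, and print
# the value written so the caller can observe it.
update_condition() {
    new="$(sip_call_active "$1")"
    cur="$(cat "$CONDITION_FILE" 2>/dev/null || echo 0)"
    if [ "$new" != "$cur" ]; then
        echo "$new" > "$CONDITION_FILE"
        logger -t sipthrottle "SIPCALL condition set to $new"
    fi
    echo "$new"
}

# Typical use, from cron every minute or as a small loop:
#   while :; do update_condition "$(query_asterisk)"; sleep 5; done
```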
